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We improve the precision of a previous Control Flow Analysis for Brane Calculi @, by adding 
information on the context and introducing causality information on the membranes. This allows us 
to prove some biological properties on the behaviour of systems specified in Brane Calculi. 



1 Introduction 

In ||6l Cardelli introduced a family of process calculi, called Brane Calculi, endowed with dynamically 
nested membranes, focussing on the interactions that happen on membranes rather than inside them. 
Brane calculi offer a suitable and formal setting for investigating the behaviour of the specified systems, 
in order to establish the biological properties of interest. Nevertheless, since the behaviour of a system 
is usually given in terms of its transition system, whose size can be huge, especially when modelling 
complex biological systems, its exploration can be computationally hard. One possible solution con- 
sists in resorting to static techniques to extract information on the dynamic behaviour and to check the 
related dynamic properties, without actually running the corresponding program. The price is a loss in 
precision, because these techniques can only provide approximations of the behaviour. However, we can 
exploit static results to perform a sort of preliminary and not too much expensive screening of in silico 
experiments. In the tradition 1 13] of applying static techniques to process calculi used in modelling bi- 
ological phenomena, we present here a contextual and less approximate extension of the Control Flow 
Analysis for Brane Calculi introduced in Q. Control Flow Analysis (CFA) is a static technique, based 
on Flow Logic llT2l . that provides a variety of automatic and decidable methods and tools for analysing 
properties of computing systems. One of the advantages of the CFA is that the obtained information on 
the behaviour are quite general. As a consequence, a single analysis can suffice for verifying a variety of 
properties: different inspections of the CFA results permit to check different properties, with no need of 
re-analysing it several times. Only the values of interest tracked for testing change accordingly and the 
definitions of the static counterparts of the dynamic properties must be provided. Control Flow Analysis 
provides indeed a safe over-approximation of the exact behaviour of a system, in terms of the possible 
reachable configurations. That is, at least all the valid behaviours are captured. More precisely, all those 
events that the analysis does not consider as possible will never occur. On the other hand, the set of 
events deemed as possible may, or may not, occur in the actual dynamic evolution of the system. To 
this end we have improved the precision of the CFA in iH, by adding information on the context (along 
the lines of lITSl ) and introducing causality information on the membranes. Also, this extra-information 
allows us to refine the static checking of properties related to the spatial structure of membranes. Further- 
more, we focus on causality, since we believe it plays a key role in the understanding of the behaviour of 
biological systems, in our case specified in a process algebra like the Brane one. In order to investigate 
the possibilities of our CFA to capture some kinds of causal dependencies arising in the MBD version of 
Brane Calculi, we follow Q and its classification, by applying the analysis to the same key examples. 
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We observe that the analysis is able to capture some of these dependencies. This is a small improvement 
in the direction of giving some causal structure to the usually flat CFA results. The gain in precision is 
paid in terms of complexity: the presented analysis is rather expensive from a computational point of 
view. 

The paper gets in the research stream dedicated to the application of static techniques and, in partic- 
ular, Control Flow Analysis to bio-inspired process calculi e.g., |[T3l [3]|. Similar to ours are the works 
devoted to the analysis of BioAmbients [ 1 8 1 . In particular, [15], where the authors introduce a contextual 
CFA and f\M where a pathway analysis is exploited for investigating causal properties. BioAmbients are 
analysed using instead Abstract Interpretation in |I71[8j[9l. The analysis presented in iH records infor- 
mation on the number of occurrences of objects and therefore is able to capture quantitative and causal 
aspects, necessary to reason on the temporal and spatial structure of processes. In [8 |, in a different 
context, the behaviour of processes is safely approximated and the properties of a fragment of Compu- 
tation Tree Logic is preserved. This makes it possible to address temporal properties and therefore some 
kinds of causality. Finally, [9] presents a static analysis that computes an abstract transition systems for 
BioAmbients processes, able to validate temporal properties. Our choice of the Brane calculi depends 
on the fact they have resulted to be particularly useful for modelling and reasoning about a large class 
of biological systems, such as the one of the eukaryotic cells that, differently from the prokaryotes, pos- 
sess a set of internal membranes. Among the first formalisms used to investigate biological membranes 
there are the P Systems [14], introduced by Paun, which formalise distributed parallel computations 
biologically-inspired: a biological system is seen as a complex hierarchical structure of nested mem- 
branes inspired by the structure of living cells. Finally, besides Brane, there are other calculi of interest 
for our approach, that have been specifically defined for modelling biological structures such as com- 
partments and membranes, e.g., an extension [11 J of K"-calculus [.10,1 . Beta Binders [ 17 1 and the Calculus 
of Looping Sequences 12]. 

The rest of the paper is organised as follows. In Section [2] we present the MBD version of Brane 
Calculi. We introduce the Control Flow Analysis in Section [3] In Section [4j we exploit our analysis to 
check some properties related to the hierarchical structure of Brane processes. In Section [5] we discuss 
on which kind of causal information our CFA can capture. In Section[6j the static treatment of Brane PEP 
action is added and the whole analysis is applied to a model of infective cycle of the Semliki Forest Virus. 
Section [Tjpresents some concluding remarks. Proofs of theorems and lemmata presented throughout the 
paper are collected in Appendix [A] 

2 An overview on Brane Calculi 

The Brane Calculi [[61 are a family of calculi defined to describe the interaction amongst membraned com- 
ponent. Specifically, the membrane interactions are explicitly described by means of a set of membrane- 
based interaction capabilities. A system consists of nested membranes, as described by the following 
syntax, where n is taken from a countable set A of names. 

P,Q ::= o\PoQ\\P\o{P)^ systems n 

(7,T ::= I g\x I !a | a. a membrane processes Z 

a,b ::= mat en \ mate^ \ bud„ \ bud^{p) \ drip{p) MBD actions 'Embd 

The basic structure of a system consists of (sub-)system composition, represented by the monoidal op- 
erator o (associative, commutative and with o as neutral element). Replication ! is used to represent the 
composition of an unbounded number of systems or membrane processes. o{P)^ is a membrane with 
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( J^y^ ,0,0) is a commutative monoid 


{^/= , , 0) is a commutative monoid 




'0 = 


\{PoQ) =\Po\Q 


!(fT t) =!c7 !t 


\\P = \P 


!!c7=!fT 


\P = Po \P 


!C7 = C7 !C7 






C7 = T =^ a\p = tip 


P = Q^PoR = QaR 


C7 = T ^!f7 =!t 


P = Q^\P = \Q 


C7 = T ^ a. (J = a.'C 


P=Qhcs=i:^ a{PY = T(e)f 



Table 1 : Structural Congruence for Brane Calculi. 



content P and interaction capabilities represented by the process o. Note that, following HI, we annotate 
membranes with a unique label /i so as to distinguish the different syntactic occurrences of a membrane. 
Note that these labels have no semantic meaning, but they are useful for our CFA. We refer to /i G M 
as the identity of the membrane a{P)^, where M is the finite set of membrane identities. We assume 
that each considered system is contained in an ideal outermost membrane, identified by a distinguished 
element * G M. 

Membranes exhibit interaction capabilities, like the MBD set of actions that model membrane fusion 
and splitting. The former is modelled by the mating operation, the latter can be rendered both by budding, 
that consists in splitting off exactly one internal membrane, and dripping, that consists in splitting off 
one empty membrane. For the sake of simplicity, we focus here on the fragment of the calculus without 
communication primitives and molecular complexes, and with only the MBD actions. The treatment 
of the alternative set of PEP actions is analogous and it is postponed to Section [5j where it is briefly 
introduced. 

Membrane processes cr consist of the empty process 0, the parallel composition of two processes, 
represented by the monoidal | operator with as neutral element, the replication of a process and of the 
process that executes an interaction action a and then behaves as another process a. Actions for mating 
(maten) and budding {budn) have the corresponding co-actions {mate^, bud^ resp.) to synchronise with. 
Here n, which identifies a pair of complementary action and co-action that can interact, is taken from a 
countable set A of names. The actions bud^{p) and drip{p) are equipped with a process p associated 
to the membrane that will be created when performing budding and dripping actions. 

The semantics of the calculi is given in terms of a transition system defined up to a structural con- 
gruence and reduction rules. The standard structural congruence = on systems H and membranes S is 
the least congruence satisfying the clauses in Table [T] Reduction rules complete the definition of the 
interleaving semantics. They consist of the basic reaction rules, valid for all brane calculi (upper part of 
Table [2]) and by the reaction axioms for the MBD version (lower part of Table |2]l. We use the symbol 
for the reflexive and transitive closure of the transition relation — )•. 

They are quite self-explanatory and we make only a few observations about the labels treatment. 
Given a system, the set of its membrane identities is finite. Indeed, the structural congruence rule im- 
poses that \o{P)^ = o{P)^ o \o{P)^, i.e. no new identity label }JL is introduced by recursive calls. A 
distinguished membrane identity is needed each time a new membrane is generated as a consequence 
of a performed action, e.g. the new membrane obtained by the fusion of two membranes after a mate 
synchronisation. To determine such labels we exploit the functions Mlmate, Mlbud, and Mldrip that re- 
turn fresh and distinct membrane identities, depending on the actions and on their syntactic contexts Q. 
Recall that the number of needed membrane identities is finite, as finite are the possible combinations 
of actions and contexts. Therefore, we choose these functions in such a way that, given an action and 
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(Par) 
P- 



Q 



PoR^QoR 



(Brane) 
P^Q 



{Struct) 

P = P' A P' -^Q' A (/ = Q 
P^Q 



(Mate) maten.o\ao{P)^'' ornate^ .t:\to{Q)^'s a|ao|T|To(Po 0^''=e 

where /ipg = Mlmate (mat en , jXp , mate^ ,lJ.Q,lJ.gp,Hp,n), 

H identifies tiie closest membrane surrounding /ip and /Iq in the context jUgp/ip 
(Bud) bud^ (p ) . T I To {hudn .o\oq{PY'' o Q)^Q ^ p {o\oo{P)^'')^'' o t:\xq{Q)^Q 

where /Ir = Mlbud {budn , lip , bud^ ,HQ,Hgp,Hp,n), 
fi identifies the closest membrane surrounding Hq in the context jigpl^p 
(Drip) drip{p).o\OQ{PY'' piY" o a|ao(P)^'' 

where /Ir = Mldnp {drip {p),iXp,iXgp,iXp,}x), 

jj. identifies the closest membrane surrounding Hp in the context pigppip 



Table 2: Reduction Semantics for Brane Calculi. 



the identities of the membranes on which the action (and the corresponding co-action, if any) reside, the 
function includes the membrane identity needed to identify the membrane obtained by firing that action. 



3 A Contextual CFA for Brane Calculi 

We present an extension of the Control Flow Analysis (CFA), introduced in |@1 for analysing system 
specified in Brane Calculi. The analysis over- approximates all the possible behaviour of a top-level sys- 
tem P*. In particular, the analysis keeps track of the possible contents of each membrane, thus taking 
care of the possible modifications of the containment hierarchy due to the dynamics. The new analysis, 
following |[T5l . incorporates context in the style of 2CFA, thus increasing the precision of the approx- 
imations w.r.t. llH. Furthermore, the analysis exploits some causality information to further reduce the 
degree of approximation. A localised approximation of the contents of a membrane or estimate J' is 
defined as follows: 

J^CMxMxMx (MUSmbd) 

Here, /i^ G {\igp^\ip^\i) (that is {\igp^\ip^\i^\i^ G J^) means that the membrane identified by \i may 
surround the membrane identified by /i,, whenever \i is surrounded by \ip and \lp is surrounded by \igp. 
The outermost membranes \lgp\lp represent what is called the context and that amounts to ** when the 
analysed membrane is at top-level. Moreover, a G ,^ {\igp^\ip^\i) means that the action a may reside on 
and affect the membrane identified by /i, in the context \lgp\ip. Furthermore, the analysis collects two 
types of some causality information: 

• An approximation of the possible causal circumstances in which a membrane can arise: 

^ ^ (Smbd X M X Smbd xMxMxMxM)i±) (Smbd xMxMxMxM) 

Here (a„,jUp,a^,/^Q,^gp,/Xp,/x) G ^(Mc) means that the membrane \ic can be causally derivedhy 
the firing of the action a„ in Hp and the coaction a^ in /Iq, in the context /igp/Xp,/x. Similarly, 
(a„,/ip,/Xgp,/ip,/i) G ^{Hc) for an action a„ like drip, without a co-action. 
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• An approximation of the possible membrane incompatibilities: 

^ C (M X M X M) X (M X M X M) 

Here, G M means that the membrane \i in the context \lgp\lp cannot 

interact with the membrane /i in the context HgpUp, because the second membrane is obtained 
from the first and the first one is dissolved. 

Note that 'tf and ^ are two strict order relations, thus only transitivity property holds. To validate 
the correctness of a proposed estimate J^, we state a set of clauses operating upon judgements like 
J^,'i^,^ \=f^sp>^p^ p. This judgement expresses that when the subprocess P of is enclosed within a 
membrane identified by e M, in the context pigppip G M x M, then .y correctly captures the behaviour 
of P, i.e. the estimate is valid also for all the states Q passed through a computation of P. 

The analysis is specified in two phases. First, it checks that describes the initial process. This 
is done in the upper part of Table [3j where the clauses amount to a syntax-driven structural traversal 
of process specification. The clauses rely on the auxiliary function A that collects all the actions in a 
membrane process a and that is reported at the beginning of Table [3] Note that the actions collected 
by A, e.g., in a = ao.CJi are equal to the ones in o' = ao|cTi, witnessing the fact that here the analysis 
introduces some imprecision and approximation, he clause for membrane system o{P)^' checks that 
whenever a membrane /i., is introduced inside a membrane pL, in the context pLgp^pLp the relative hierarchy 
position must be reflected in J^, i.e. /i., G ^ {iJLgp,}jLp,}x). Furthermore, the actions in a that affect the 
membrane /i^ and that are collected in A(a), are recorded in J^(/ip,/i,/ii). Finally, when inspecting the 
content P, the fact that the enclosing membrane is /i., in the context pLppL is recorded, as reflected by 
the judgement J? |=Mp/JM! p xhe rule for o does not restrict the analysis result, while the rules 
for parallel composition o, and replication ! ensure that the analysis also holds for the immediate sub- 
systems, by ensuring their traversal. In particular, note that the analysis of \P is equal to the one of P. 
This is another source of imprecision. 

Secondly, the analysis checks that also takes into account the dynamics of the process under 
consideration; in particular, the dynamics of the containment hierarchy of membranes. This is expressed 
by the closure conditions in the lower part of Table [3] that mimic the semantics, by modelling, without 
exceeding the precision boundaries of the analysis, the semantic preconditions and the consequences of 
the possible actions. More precisely, each precondition checks whether a pair of complementary actions 
could possibly enable the firing of a transition according to J^. The conclusion imposes the additional 
requirements on that are necessary to give a valid prediction of the analysed action. 

Consider e.g., the clause for {Mate) (the other clauses are similar). If (i) there exists an occurrence of 
amate action: mate^ G J^(/ip,/i,/ip); (ii) there exists an occurrence of the corresponding co-mate action: 
mate^ G J^{IJ.p,IJ.,IXq); (iii) the corresponding membranes are siblings: iUp,/^e G ^ {l^gp^l^p^l^)^ (iv) the 
redexes are not incompatible, i.e. the corresponding membranes can interact: {{}jLp,}jL,}jLp), {ji.p,iJL,}jLQ)) 
1% then the conclusion of the clause expresses the effects of performing the transition {Mate). In this 
case, we have that must reflect that (i) there may exist a membrane pLpQ inside }JL, in the context pigp}lp, 
at the same nesting level of the membranes pLp and plq; and (ii) the contents of pLp and of }JLq, their children 
and their grandchildren, may also be included in /ipg. Note that the contribution changes depending on 
whether we consider pLp {pLq, resp.), their children or their grandchildren. With the inclusion ,y{pL,pLp) C 
^{IJL^IJLpq) we mean that for each }JLs in the context pL,pip, all the elements in ^ {}JL,}JLp,}JLs) are included 
in J^{iJ.,iJ.pQ,iJ.s). Similarly, with ^{pip) C ^{ijlpq) we mean that for each jigs in the context pLppLs, and 
in turn for each jx^ in the context /i,/ip, all the elements in J^{np,Hs,Hgs) belong to ^(/Xpg,/ii,/igi). We 
use a similar notation for the relation ^. (iii) The membrane ^pq is the result of the transition {Mate), 
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A(O)=0 A{a.a) = {a}UA{a) A{\a)=A{a) A(c7o|c7i) = A((7o) UA(cri) 



J,'€,M t='^spA'pMo iff true 

^ ,M ^^^pi'p^ \P iff ^''^"'^"^P 

j^,^,^ a{P)^^ iff e y{Hgp,Hp,n) A A((7) c y{np,n,n,) A J^,'^,^ p 

(Ma?e) G {lip, 11, Hp) Amate^ G A/ip,/iQ G J^{Hgp,Hp,n) A 

{{lip,H,Hp),{lXp,H,HQ)) 

^ /XpQ G J^{Hgp,Hp,H) where /Xpq = MIiaate{maten,llp,mate^,HQ,Hgp,Hp,lJ.) A 
{lip, II, lip) C J?{iip,ii,iipQ)AJ?{ii,iip) C J{ii,iipq)aJ{iip) C ^(jUpq) 

-i^(Mp,M,Me) ^ -^(Mp,M,Mpq) A^(Ai,AiG) ^ J^{ii,iipq) AJ^{iiq) C J^(/ipQ) 
A {mate,,, lip, mate^,llQ,llgp, lip, ll) G '^{IIpq) A 
{{lip, II, lip), {iip,ii,iLpQ)), {{iIp,ii,iiq),{Hp,h,ilpq)) g ^ a 
((Ai,Aip), (jU,Mpe))' ((Ai,Aie)> iP-^^Po)) e ^ 

(SmJ) W„ G J'{ll,llQ,llp)Abud^{p) G {lip, II, Hq) A lip G ,f {llp,ll,llQ) Apiq G J {llgp,llp,ll) 
^lipe J{iigp,iip,ii) where /Ir = Mh^a{budn,lip,bud^{p),iiQ,iigp,iip,ii) A 
A{p) C J' {lip, II, Hp) A lip G J^{llp,ll,llR) A 
J^{ll,llQ,llp) C J^{ii,iiR,iip) A J^{llQ,llp) C ^{hr,Hp) 
A {budn,llp,bud^{p),llQ,llgp,llp,ll) G "^(^1/?) 
A {{i1,IIq,IIp),{iI,Hr,Hp)) e M A {{HQ,llp),{llR,llp))eM 

{Drip) drip{p) G J {lip, II, lip) A lip G J {llgp,llp,ll) 

^llpe J{llgp,llp,ll) where /i^ = MIdrip(6?n>(p),/ip,/igp,/ip,jU) A A(p) C J {iip,ii,iiR) 
A {drip{p),Hp,Hgp,Hp,ii) G '^(mr) 



Table 3: Analysis for Brane Processes 



performed by the two membranes /Xp and /Xq, in the context iigpiipii, as witnessed by the corresponding 
entry in the component ^; (iv) the new membrane /ip^ is incompatible with the /ip and /ij2, because /ipj2, 
derived by the transition {Mate), follows both /ip and /ig. Note the similar incompatibility between the 
membrane lip in the context /i/ig before the (BmJ) transition and the derived one lip in the context llllp. 
The above requirements correspond to the appUcation of the semantic rule {Mate) that would result in 
the fusion of the two membranes. 

Note that, since the new membrane iipq inherits the prefix actions that affected the membranes iip 
and llQ, it inherits also maten and mate^ (we write in red this kind of imprecise inclusions). This is 
due to over-approximation, even though it is harmless: the two prefix actions cannot be further used to 
predict a communication because they both occur in ^ {iip,ii,iipQ). Still, the presence of both matCn G 
^ {lip, II, lip) and mate^ G J^{llp,ll,llpQ) could lead to predict another interaction that is impossible at 
run time. Thanks to we can safely exclude it, thus gaining precision. This gain is obtained in general: 
^ collects indeed pairs of capabilities that could be syntactically compatible with an interaction, but that 
cannot really interact, because they dynamically occur in membranes that are not simultaneously present. 
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^{*,*,lj.p),lj.p,lj.Qe 












= 0,1) 






mate„ 


G J^(*,*,;U/>), 








mate^ 


G J^(*,*,;Ug), J^(* 








budm 


G ^{*,^lp,HPo), y{* 




J?{*,n\^^,lip^), 






G J^{*,*,IJ.p), J^{* 


*,IJ-pq), 






budo 


G J{*,llp,llp^), 


li-PQ^li-Pl), 






bud^{p2) 


G J^(*,*,/lg), J^(* 


*,lipQ), 






((*,*,M/>),( 








((*,*,^2),(*,*,;U/.e)) Gi^ 




,{*,jXpQ,jXp^))£M 






((*,Mf,M/',),(*,Mpe,MPi)) 



(*,Aip,Ai/.o),(*,M«i,Ai/'o) G-^^ 
maten,IJ.p,niate^,IJ.Q, *,*,*) G '^{jJ-pg) 



{{*,Hp,Hp,),{*,Hr2,^p^)) 
{budo, lJ.p^,bud^,IJ.PQ, G ^(Mm) 



budm,IJ.Po,bud^,jJ.PQ,' 



«1> 



Table 4: Some entries of the Example 1 Analysis 



The gain in precision is paid in terms of complexity: the presented analysis is rather expensive from 
a computational point of view, due to the introduction of contexts and to the possibly high number of 
different membrane names. Both these features may lead to an explosion of the possible reachable 
configurations. 

Example 1. To illustrate how our CFA work we use two simple examples. The emphasis is on the process 
algebraic structures and not on their biological expressiveness. We first report an application of it to a 
simple process P, illustrated in ^ ( and in turn taken from /O/ ). We consider P and the following possible 
computations, where pi and p2 are not specified as they are not relevant here. 

P = {maten\bud^{pi)){bud,„{)^''oobuda{)^''^)^'' o {mateJ^\bud^{p2)){)^o 
Pi = {budi{pi)\bud^{p2)){budm{f''^obudo{)^''^ oo)^'=e ^ 



P2 = pi{{)i'^)^R^ obud^{p2)){budo{)^''^ OO^PQ 
P = {maten\bud^,{py)){bud,n{)^''oobudo{)^''^ o 



budn 



imate^\bud^ip2)){)^^ 



bud,,, 



P{ = Pi{{)^''o)^Ri omateniibudo)^''')^'' o {mate:t\bud^{p2)){)^^ 

^2 =Pl(()^™)''^' obud^{p2){{budo)^'^)^''^ 



matCm 



bud„ 



The main entries of the analysis are reported in Table^ where ** identifies the ideal outermost context 
in which the system top-level membranes are. We write in red the entries due to approximations, but 
not reflecting the dynamics. Furthermore, we pair the inclusions of actions and of the corresponding 
co-actions, in order to emphasise which are the pairs of prefixes that lead to the prediction of a possible 
communication. It is easy to check that J? is a valid estimate by following the two stage procedure 
explained above. 

To understand in which way the component refines the analysis, note that since the analysis entries 
include maten G *,IJ-pq) and mate^ G ^{*, without the check on the ^ component, we can 

predict a transition between the two membranes }Xpq and fXp. This transition is not possible instead, 
because }XpQ is causally derived by jlp. 

Note that although the CFA offers in general an over-approximation of the possible dynamic be- 
haviour, in this example the result is rather precise. The transition maten is predicted as possible, since its 
precondition requirements are satisfied. Indeed, we have that maten G *,Mp) mate^ G *)Mq)' 
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I^PoQo S ■J^{*,*,^J-pq),^J-PoQoPi g ■^(*,*>M/'g)' 

fiPoPi e J^{*,*,fiPQ),fipgp^ e J^{*,*,fip),y{*,*,fipQ), 



mate„ 


e 




*,^ip), 








mate^ 


e 












mate,„ 


e 






J{*.,llpQ.,llp^X 




IJ-PQ,IJ-PoPi) 


mate^ 


e 






J{*,llpQ,llQ^), 




^l^PQiMo)^ 


mat Cm 


€ 






y{*,ixpQ,n'p^p^), 








e 






y{^,^PQ,^Q^), 






mat Co 


e 






.y{*.,llpQ,llp^Q^), 




li-PQ,li-Po)-, 


mate^ 


e 




^p,i^Pi), 


J{*,^pQ,^p^) 




IJ-PQi^J-Pi), 



((*,*,M/>),(*,*,M/'e)) 
((*,*,Me)'(*'*'M/'e)) 

( ( * , , Mf, ) , ( * , MPg , MP, ) ) G = , 1 
{maten,IJ.p,mate^,IJ.Q, *,*,*) G '^{iIpq) 
{matCm , Upo , mate^ ,IJ.q^^,*,*, jlpg) € "^fipp^Qo ) 
(maf £>„ , /iPoPj , maf , ^Ug^ , * , * , /i/.g) g 'g' (Hp^p^ ) 
{mateo,IJ.PoQQ,mate^,IJ.Pi,*,*,IJ.PQ) e'^ {lJ.Pg q^Pi ) 
{mateo,^p^.,,mate^ ,Hp^,*,*,IXpq) e "tfipp^p,) 
{mateo,llp^^,matej^ ,llp^,*,*,jXp) € '^(Mfpf,) 



Table 5: Some entries of the Example 2 Analysis 



a«i/ /ip a?ii/ PLq are sibling and causally compatible membranes. Also the transition on budm is ini- 
tially possible and this result is actually predicted by the analysis, since budm G ^ {* , }Xp , }Xp^) and 
bud^ G J^(*,*,;Up), with pLp^ G J^(*,*,/Xp), i.e. P is the father of Pq. Instead, we can observe that 
the transition on budo cannot be performed in the initial system. Indeed, budo resides on the membrane 
jXp^ in the context *}Xp, while the coaction bud^ resides on }Xq that is not the father of Hp^. The transi- 
tion on budo can be performed instead in the membrane }Xp^ in the context *}XpQ, that is the membrane 
introduced by the previous mate,-, transition. 

Example 2. We now apply our CPA to another process P, taken from [5 /. We consider P and the 
following possible computations. 

P = maten{{matem\mate„)()^''o omate^{)^''i )'^'' o mafe,f.(mfl;fej,()'^2o)M!2 
Py = {imate,„\mateo){foomate^{)^'> omaf4()'^'2o)Mpe 
P2 = {mateo{)^''oQoomate:t{)^''' )^''' = {{fo^o'^ 

Pi = {{mate,n\mateo){)^''oomate^{)^''i omatei{)^^^)^'Q 
= {mate,n{)^'^''^ o {matei{)^Q':>Y''Q "-^ P'^ = (()'^''o'=ieo)M/=e 
P = mate,, { {mate,,, \ mateo ){)^''oo mate^ () ) o mate^ . {mate^, { ) ) Me 
P[' = mate„{matem{/'on o mate^ .{mate^^{)^^o)^^e 
P^ = {mate,„{f'''o''> omatei{)^^o)^^^o P^' = {{fk''lQo)^^pQ 
The main entries of the analysis are reported in Table where we do not include the entries due to 
approximations, but not reflecting the dynamics. As before, we pair the inclusions of actions and of the 
corresponding co-actions, in order to emphasise which are the pairs of prefixes that lead to the prediction 
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of a possible communication. This motivates some redundancies in the entries. Also in this example, the 
CFA result is rather precise. 

Semantic Correctness Our analysis is semantically correct with respect to the given semantics, i.e. a 
valid estimate enjoys the following subject reduction property with respect to the semantics. 

Theorem 1. (Subject Reduction) 

IfP ^QandJ,'i^,M \=i'>ip^pi' P then also J^,"^,^ |=m,pMpM q_ 

This result depends on the fact that analysis is invariant under the structural congruence, as stated 
below. 

Lemma 1. (Invariance ofSti-uctural Congruence) IfP = Q and we have that J^,'^,!^ |=m«p/^pM p tjig^ 
also J','^,^ |=M.„M,M Q_ 

Moreover, it is possible to prove that there always exists a least estimate (see H for a similar state- 
ment and proof). 

4 CFA for Spatial Structure Properties 

Control Flow Analysis provides indeed a safe over-approximation of the exact behaviour of a system, 
that is, at least all the valid behaviours are captured. More precisely, all those events that the analysis 
does not consider as possible will never occur. On the other hand, the set of events deemed as possible 
may, or may not, occur in the actual dynamic evolution of the system. The 2CFA gains precision w.r.t the 
OCFA presented in f4] and the incompatibility relation ^ increases this gain. In the next section, we will 
discuss on the contribution of the component 'if. 

We can exploit our analysis to check spatial structure properties, of the membranes included in the 
system under consideration. In particular, because of over-approximation, we can ask negative questions 
like whether: (i) a certain interaction capability c never affects the membrane labelled n, i.e. it never 
occurs in the membrane process of the membrane labelled /i ; (ii) the membrane labelled /i never ends 
up in the membrane labelled jj.'. 

Suppose we have all the possible labels /i of the possible membranes arising at run time. Then we can 
precisely define the above informally introduced properties. We first give the definition of the dynamic 
property, then the corresponding static property and, finally, we show that the static property implies the 
dynamic one. For each static property, we check for a particular content in the component J^. 

Definition 1 (Dynamic: c never on jj.). Given a process P including a membrane labelled }X, we say 
that the capability c never affects the membrane labelled }X if there not exists a derivative Q such that 
P — )•* Q, in which the capability c can affect the membrane labelled }X. 

Definition 2 (Static: c never on }x). Given a process P including a membrane labelled jl, we say that the 
capability c never appears on the membrane labelled }X if and only if there exists an estimate 
such that: c ^ {Hgp, Hp, jJ.) for each possible context jLigp/ip. 

Theorem 2. Given a process P including a membrane labelled }X, then if c never appears on the mem- 
brane labelled }X, then the capability c never affects the membrane labelled }l. 

Definition 3 (Dynamic: /i' never inside }x). Given a process P including a membrane labelled }l and a 
membrane labelled }x', we say that the membrane }x' never ends up inside the membrane labelled fX if 
there not exists a derivative Q such that P — )•* Q, in which jJ.' occurs inside the membrane }X. 
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Definition 4 (Static: ix' never inside /i). Given a process P including a membrane labelled n, we say 
that n' never appears inside the membrane labelled }1 if and only if there exists an estimate (^,,^,'^) 
such that: /l' ,y {^gp, Hp, n) for each possible context pigpPip. 

Theorem 3. Given a process P including a membrane labelled }X and a membrane labelled jJ.', then 
if jj,' never appears inside the membrane labelled jX, then the membrane jJ,' never ends up inside the 
membrane labelled }X. 

Back to our first running example, we can prove, for instance, tliat tlie capability bud^ never af- 
fects the membrane labelled jXp. This can be checked by looking in the CFA entries, for the content of 
J^(*, *tHp), that indeed does not include bud^. Intuitively, this explains the fact that the budg synchro- 
nisation is not syntactically possible in the context /ip, whose sub-membrane jXp^ is affected by budg- 

In our second running example, we can prove instead, for instance, that the membrane /ipoGo never 
ends up inside the membrane labelled jXp, where ^Up^go — MImate('Mafem,jUpo,ma?e,f ,/Xg„,*,*,/Xpg). In- 
deed, by inspecting the CFA results, we have that Hp^Qq J^{*,*,lJ.p). Intuitively, this corresponds to 
the fact that the matCm synchronisation is not syntactically possible in the context jXp, because jip^ and 
/igo are not siblings, while it is in the context /ipg. 

Similarly, we can mix ingredients and introduce new properties, e.g. one can ask whether two mem- 
branes labelled }Jl' and /i", never end up (occur) together in the same membrane /i. On the static side, 
this amounts to checking whether there exists an estimate (J^,^,^) such that: for all possible context 
ligplip, li' G J'{iXgp,iXp,n)An" J'{iXgp,Hp,n) or ^t' y{lXgp,Hp,n) Ajx" G J'{Hgp,Hp,n). Note that 
a single analysis can suffice for verifying all the above properties: only the values of interest tracked for 
testing change. 



5 Discussion on Causal Information 



Understanding the causal relationships between the actions performed by a process is a relevant issue for 
all process algebras used in Systems Biology. Although our CFA approximates the possible reachable 
configurations, we are able to extract some information on the causal relations among these configu- 
rations. To investigate these possibilities of our CFA, we follow O where different kinds of causal 
dependencies are described and classified, by applying our analysis to the same key examples. 

The first kinds are called structural causality and synchronisation causality and are typical of all 
process algebras. Structural causality arises from the prefix structure of terms, as in 

P = drip{c>).drip{p){)^'^ ^ (ji)^"' odripip){)^'^ ^ aQ^" o p{)^''R o {)^^^ 
where the action on drip{p) depends on the one on drip{a), since the second action is not reachable until 
the first has fired. Synchronisation causality arises when an action depends on a previous synchronisation 
as in: 

2 

P = drip{o\).maten-drip(X\)()^'''o odrip{02)-maten-drip{x2)()^'''^ — ^ 

P' = Oi{Y'^'o02{Y^'-omaten.drip{xi){f^o omaten.drip{z2){f'"^ 

p" = ai{)^"^'oa2{)^^'-o{f'o'i 
where, the mate action is possible only when both drip{o\) and drip{o2) have been performed, and 
the following drip{T\) and drip{x2) depend on the previous mate synchronisation. Our CFA is not 
able to capture these kinds of dependencies, because of the A() function definition, according to which 
A(a.T) = A(a) U A(t). In other words, the CFA disperses the order between prefixes. 

According to [51, when an action is performed on a membrane it impacts only on its continuation 
and not on the whole process on the membrane, e.g., in: 
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P = (maten\drip{o)){)^' omatej^{)^o drip{a){)^'0 ^ a{)^'< o Q^^Q 
P = {maten\drip{o)){)^'' ornate^ {Ya ^ O {Y'r o {maten){Y'' omatej, {^Q 

the drip operation can be considered causally independent form the mate operation, because it can be 
executed regardless of the fact that the mate interaction has been performed. 

Our analysis reflects this, because we have '^{Hr) 9 {drip{a),lJ.p, *,*,*) and also that ^(/x^) 3 
{drip{a),HpQ,*,*,*). 

When considering MBD actions and, in particular, the mate action, we have to do with another kind 
of causality called environmental in [5|, due to the fact that the interaction possibilities of the child 
membranes are increased by the mate synchronisation. 

Examples of this kind of causality can be observed in our running examples. In the first, for instance, 
the budo depends on the maten, as reflected by the CPA entries: '^(/Iki) 9 {budo,pip,bud^ , MQ' *' *jI^pq)' 
where ^(iXpg) 3 {maten, IJ.p,mate^,ljLQ, *,*,*). 

In the second, we can observe that the synchronisation on mate,^ cannot be performed before a syn- 
chronisation on mafe„, as captured by the following CPA entries: ^{jJip^Qi^) 3 {matem,IJ.Po,mate^,lJ.Qg,*,*,lJ.pQ), 
and '^{piPoPiQo) B {matem,pipoPi,matej^^,jJLQ^^,*,*,jJLpQ), where {mat e„, Hp, mat e:l[,lJ.Q, *,*,*) belongs to 

Pinally, in Q, a casual dependency generated by Bud (and Drip) is discussed on the following 
example: 

P = bud^{drip{a)){budn{Y'^Y'' ^bud drip{a){{)^''^Y' ° i)^' ^drip 

The bud action generates a new membrane and the corresponding actions are caused by the new mem- 
brane, as captured by the CPA entries: drip{a) G J^(*, *,IJ.r) and '^{iXr^) 3 {drip{o),}JLR, *, *, *). 

These considerations encourage us to further investigate and to formalise the static contribution of 
the CPA in establishing causal relationships. 

6 The Analysis at Work: Viral Infection 

We illustrate our approach by applying it to the abstract description of the infection cycle of the Semliki 
Porest Virus, shown in Pigure[T| as specified in |6|. The Semliki Porest Virus is one of the so-called "en- 
veloped viruses". We focus just on the first stage of the cycle and we report the analysis as given in ||4l. 
The virus, specified in Table [8j consists of a capsid containing the viral RNA (the nucleocapsid). The 
nucleocapsid is surrounded by a membrane, similar to the cellular one, but enriched with a special pro- 
tein. The virus is brought into the cell by phagocytosis, thus wrapped by an additional membrane layer. 
An endosome compartment is merged with the wrapped-up virus. At this point, the virus uses its special 
membrane protein to trigger the exocytosis process that leads the naked nucleocapsid into the cytosol, 
ready to damage it. By summarising, if the cell gets close to a virus, then it evolves into an infected cell. 
The complete evolution of the viral infection is reported in Table [8} while the main analysis entries are 
in Table |9] The specification includes the PEP version of Brane calculus, whose syntax and reduction 
semantics is reported in Table[6] This further set of PEP actions CErep) are inspired by endocytosis and 
exocytosis processes. The first indicates the process of incorporating external material into a cell, by 
engulfing it with the cell membrane, while the second one indicates the reverse process. Endocytosis 
is rendered by two more basic operations: phagocytosis (denoted by phago), that consists in engulfing 
just one external membrane, and pinocytosis (denoted by pino), consists in engulfing zero external mem- 
branes; exocytosis is instead denoted by exo. The CPA for the calculus can be straightforwardly extended 
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Figure 1: Viral Infection (highlighted part) and Reproduction. [Adapted from ^ and j^] 



to deal with the Phago/Exo/Pino (PEP) actions, as shown in Table [7] 



g ::= pliago„ \ phago^{p) \ exo„ \ exo^ \ pino{p) Zpep 

[Phago] pliago„.a\ao{P)^"' o pliago^{p).z\To{Q)''Q T\zo{p{(j\(Jo.{Pyy oQ)^'Q 
where = Mlphago {phago„ , jXp , phago^ {p),jXQ,llgp,jXp,jx) 
and pL identifies the closest membrane surrounding pip in the context figpfip 

(Exo) exo^.T\xo{exo„.a\ao{P)t"' oQ)t'Q ^ Poa\aQ\x\xo{Q)''e 

{Pino) pino{p).o\ao{PY'' ^ C7|cJo(p()'"' oP)''^ 

where jXp = Mlpino {pino {p),iip,^gp,iJ.p,ii) 

and jj. identifies the closest membrane surrounding jj.p in the context HgpUp 



Table 6: Syntax and Reduction Rules for PEP Actions. 

Roughly, the analysis results allow us to predict the effects of the infection. Indeed, the inclusion 
l^nucap £ --^ {*7*,i^memh) reflects the fact that, at the end of the shown computation, nucap is inside 
membrane together with cytosol' that is equivalent to cytosol, apart from the label pLph-endo that decorates 
the enclosed membrane endosome. Furthermore, we can check our properties in this systems. As far as 
the spatial structure properties, we can prove here, e.g., that (i) the capability exo^ never affects the 
membrane labelled jip^ (as exo-^ ^ {* , IJ-memh, f^ph))', and that (ii) the membrane Hvims never ends up 
inside the membrane labelled jXendo (as IJ^vU-us {*,iJ'memb,l^endo))- Furthermore, we can observe that 
the CFA captures the dependency of the synchronisation on mate on the synchronisation on phago, 
since we have that {mate,lJ.ph,mate^,lJ.endo,*,*,IJ-memb) S 'tf{lJ.ph-endo), and /Xp/, is such that we have that 
(phago, IJ.virus,phago^,H,„emb, *,*,*) G '^{l^ph)- 
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{Phago) phagOn G ^{Hp,H,IXp) Aphago^{p) G J^(/lp,/l, /Xg) A/lp,/!^ G ^{Hgp,Hp,n) A 
((Mp,i",M/'),(i"p,i",Me)) 

^ A(p) C j^{h,Hq,Hk) g j^{Hp,ix,ixq) g J^{h,Hq,ixr) 
where /Ir = Mlphago {phagOn , , phago^ {p),iJ.Q,iJ.gp,Hp,n) 
(Exo) exon G J^(At,AtQ,Atp) Af'jcoj- G J{}Xp,}X,}XQ) AjXp G J {}Xp,}X,}Xq) A}Xq G ^ {}Xgp,}Xp,}x) 

(Pino) pino (p ) G (/ip , /i , /Ip) A ^ip G ^ (/l^p , Mp , M ) 

^A(p) C y{^,IJ.p,HR)AHR G J{lXp,}X,pip) 
where ^p = Mlpjno (;?/?2o (p ),fXp,iJ.gp,iJ.p,n) 



Table 7: Closure Rules for PEP Actions 



virus — phago. exo (nucap) ^"''"^ membrane — \ phago {mat e)\\exo 

nucap = \bud\X{vRNA)^"''^''i' cytosol — endosome oZ 

cell ''^ membrane (cytosol)^'"™'' endosome \mate-^\\exo-^ ()^""'° 

virus o cell 

= {phago. exo) {nucap) o {\phago^{mate)\\exo^){cytosol)^"'"''^ phago 
{\phago-^{mate)\\exo-^){mate{exo{nucap)^^''"")^p'' o {]mate-^\\exo-^){)^^"''o oZ)^'"™* 
{lphago^{mate)\\exo^){{lmate^\\exo^){exo{nucap)'^^'"")'^i''''<'"'''' oZ)^'"™'* 
( ! phago^ {mate) \ lexo^ ) { {\mate^ \ \exo^ ) {) ^p'^-""!" o nuca poZ) f^memb ^ 
membrane {nucap o cytosol')^'"™'' 



Table 8: Viral Infection System and its Evolution 



l^nucap G '-^ {*,*, IJ-virus) : IJ-endo G '-^ {* , * , jJ-memb) i l^-virus 1 1J^memb G ^ {*,*,*) 

phago, exo G ■y{*,*,lXyirus),phago^{mate),exo^ G *, Mmem^)) 

mate G ■, ^^membj t^ph) j t^ph G (*) *;/^m«mfe)) Mvirwi G {* ^Imembi t^ph) i 

mat e , ^XO G ( * , ^memh 1 t^endo ) 
t^micap G {^membi ^^phi ^^virus) 1 

t^ph-endo G <^ fJ^memb) t f^virus G ^ {'^ ■, ^membt ^^ph-endo) i 
mat e , exo G =^ ( * , fimemb ; f^ph-endo ) 
t^nucap G {^membj t^ph-endoT f^virus\ 
t^nucap G (*) *; /^memfo) ; 
t^ph—endo G j * j f^memh^ 

{phago, IJ.virus,phagO^,IJ.memb, *,*,*) G '^(jUpA) 

{mate, Hph,mate^ , jj-endo,*,*, l^memh) G '^(/ip/,- 



-endo ) 



Table 9: Viral Infection Analysis Results 
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7 Conclusions 



We have presented a refinement of the CFA for the Brane calcuh H, based on contextual and causal 
information. The CFA provides us with a verification framework for properties of biological systems 
modelled in Brane, such as properties on the spatial structure of processes, in terms of membrane hierar- 
chy. We plan to formalise new properties like the ones introduced here. 

We have found that the CFA is able to capture some kinds of causal dependencies lU arising in the 
MBD version of Brane Calculi. As future work, we would like to investigate thoroughly and formally 
the static contribution of the CFA in establishing causal relationships between the Brane interactions. 
Acknowledgments. We wish to thank Francesca Levi for our discussion on a draft of our paper and our 
anonymous referees for their useful comments. 
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A Proofs 



This appendix restates the lemmata and theorems presented earlier in the paper and gives the proofs of 
their correctness. To establish the semantic correctness, the following auxiliary results are needed. 

Proposition 1. If J \=^"^^' P and J^{\lp,\l,\lx) C j^{Hp,ix,iX2), then J ,m P. 

Proof. By structural induction on P. We show just one case. 

Case P = o{PY'- We have that J ,M |=A'pM/Ji p is equivalent to \is G J {\Lp,\L,\Ly) A A(a) C 
J[ii,\ix,]X,) A J^,'^,^ |=/JMiM. p'. Now, \x, £ j^(/ip,/i,jUi) and J'ijXp.jX.pLi) C J^[}Xp,}X,}X2) and 
A{o) C J'{iJ.,iJ.i,iJ.^) imply /i^ e J^(/Xp,/X,/X2) and A(a) C j^(jU,jU2,/ii). Therefore, by induction hy- 
pothesis, we have that J |='^pA'A'2 p □ 

Proposition 2. If o = x then A{o) =A{t). 

Proof. The proof amounts to a straightforward inspection of each of the clauses defining the structural 
congruence clauses relative to membranes. We only show two cases, the others are similar. 
Case Oq\o\ = 0\\oq. We have that A(ao|ai) = A(ao) UA(ai) =A{o\_\oo). 

Case a = T =^ o\p = x\p. We have that A{o\p) = A{o) U A(p). Now, since a = f, we have that 
A(a) =A(t) andtherefore A((7|p) =A(t) U A(p), from which the required A(t|p). □ 

Lemma 4.1 (Invariance of Structural Congruence) If P = Q and we have that J ,M \=^sv\^p^ p 
then also J ,S^. |=A'spA'pM q 

Proof. The proof amounts to a straightforward inspection of each of the clauses defining the structural 
congruence clauses. We only show two cases, the others are similar. 

Case PqoPx= Pi oPq. We have that J^,^,^ ^p-spP-p\>- p^ oPi is equivalent to J |=Mgp/^pM p^ ^ 

J^,'r,=^ |=/i?pA'pM Pi, that is equivalent to J |=MgpA'pM Pj a J^,^,^ ^/JspMp/j p^ and therefore to 
J^X,^ |='^;;pMpMPioPo. 

Case P = Q N a = 1: ^ a{P)^' = 'T{Q)^^\We have that J^,"^,^ \=^^sp^^P^^ a{P)f^' is equivalent to /x,. G 
^{lXgp,Hp,H) A A(a) C J^{Hp,n,n,) A |=M,./^A p. By Proposition|i| A(t) C J^{Hp,n,^,), 

and by induction hypothesis, we have that J^,'i^,^ |— Mp.M.K! q As a consequence, we can conclude that 

^,<r,=^ l=Mj/'A'pM t{q)^'\ □ 

Theorem 4.2 (Subject Reduction) 

IfP e c^,^,^ |=MspMpM p ^/^o ^,<r,=^ |=K<;pMpM g. 

Proof. The proof is by induction on P — The proofs for the rules {Par) and (Brane) are straightfor- 
ward, using the induction hypothesis and the clauses in Table |3] The proof for the {Struct) uses instead 
the induction hypothesis and Lemma 4. 1 . The proofs for the basic actions in the lower part of Table |2] 
are straightforward, using the clauses in Table [3] 

Case (Par). Let PbePoo Pj and QheP^oP^, with Pq P'q. We have to prove that J ,M ^^sr^pf' Q_ 
Now,y,'^,^ |=^'«p'^"^' P is equivalent to J^,"^,^ |=Mg,>MpM p^ a J^,^,^ ^^^SP^P^^ p^. By induction 
hypothesis, we have that J^^,'^,^ ^''^"'^p'' Pq, and from J^,^,^ \=^'sP^^P^' A J |=/^«p/^pM p^ 
we obtain the required ^p-sp\^pP- q_ 

Case (Brane). Let P be o{Po)^' and Q be o{Pq)^\ We have to prove that J^,^,^ ^t^sP^^P^ (^(^o)'''- 
Now J^,'rf,^ ^MgpMpMp is equivalent to have that /i., G J^(/Xgp,/ip,/i) A A(a) C J^(/Xp,/x,/ij) A 
J^X,^ 1=/^;^.^,^! Pq By induction hypothesis, we have that J^,'^,^ ^Mp-M-M- p^ We can therefore 
conclude that J^,'rf,^ |=Mgp/JpM q 
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Case (Struct). Let P = Pq, with Pq Pi such that A = Q. By Lemmas we have that J |=MgpMpM 

by induction hypothesis \^P■gp^^p\^ and, again by LemmajA] \=^^sp^^l>^^ q_ 

Case (Mate). Let P be maten.o\OQ{PoY'> omatej^ .t\Tq{P\Y' and Q be a|ao|T|To(^o o A)'"" ■ Then, 

J^X,^ |='^';f'''''^ P amounts to J^,"^,,:^ |='^«"'''''^ mafe„. a|ao(Po)'^ and J^,^,^ ^^^p^^pf" mate^ .z\zq{Pi)^^ 

and, in turn, to /io,Mi £ {jXgp,lXp,n), {mate„}UA{o)UA{0()) C J^{iJ.p^iJ.,iJ.Q), {mate^} U A{'t) U 

A (To ) C ^ (^p , ^ , ^1 ) , and ^ , '^f , ^ ^^"'^f Po and ^ , <r , ^ |='^"^''^i A ■ Note that, ( ( ^tp , M , Mo ) , (M/. , M , M i ) ) 
does not belong to Because of the closure conditions, from the above, we have, amongst the several 
implied conditions, that 3/^01 =^lmate{maten,IJ-o,mate^ ,ljLi,lJ.gp,ljLp,ljL) such that /^oi £ ^{l^gp,IJ-p,IJ-) A 
y{Hp,lx,Ho)UJ^{Hp,H,Hi) C ^{Hp,n,Hoi). Fmmy{Hp,n,Hi)cy{Hp,n,HQi) for / = 0, 1, we have 
that A(a) UA(ao) C J^(/Xp,/x,/ioi) and A(t)UA(to) C (/ip,/i,jUoi) and, by Proposition [T| we have that 
j^,<r,^ |=/JpMA)i p„ and J^,"^,^ |=MpA'Moi and hence the required |=MpM/^oi g_ 

Case (Bud). Let P be bud^{p).r\To{budn.o\oQ{P(i)^ o Pi)^i and 2 be the process p{a\ao{Po)^)^'' o 
'Z^Ito(Pi)'''- Now, J^,'^,^ |=^s"''"'' P is equivalent to /ii € {lXgp,lXp,lx), {W,;^(p)} UA(t) UA(to) ^ 
J^{Hp,H,Hi), and, moreover, J^,^,^ ^Mp^^Mi ZjM(i„.a|ao(Po)'"' and J ,M \=^p^i^^ Pi, from which 
we have that e J {]Xp,\x,\ix), UA(a) UA(ao) C (jj. , , fXo) , and J ,M \=.^^^^ Pq. Be- 

cause of the closure conditions, from above, we have that ^\Ir = Mlh^dibudn, iJ.o,budJl^ , Hi, Hgp, Hp, n) 
such that ;Ur g y{Hgp,Hp,n),A{p) C ^{Hp,h,Hr), G y{Hp,n,HR), and(J^(At,iUi,Ato) ^ ^{h,Hr,Hq) 
and J^(/Xi,/Xo) ^ '^{piR,IM)) (cond 2)). We have that J^,'^,^ 1=^8^/^?^^ g is equivalent to have that 
J^'i^m |='^s/'''p^' p(a|ao(Po)^'')'"' (1) and that J |=Mg,.MpM t|to(Pi)'" (2). For (1), we have to 
prove that \Lr g J {}igp,\Lp,\L), A(p) C J {\ip,\i,\LR) and J \=.^p^^r a|ao(Po)'^", that is equiv- 
alent to /^o G J{\ip,\i,\iR), A(a)UA(ao) C j^(/x,jUR,/io) and J |=A'^^«/^o pj-om the hy- 
potheses, we have that /^o G Since A(a) UA(ao) ^ J^(/i,/ii,/io) and (cond 2) we have 
A(a)UA(ao) C J[\i,\Ir). From J^,*^,^ ^m^'iA'o Pp, because of (cond 2) and Proposition [T| we 
have that J^,^,^ ^mm«Mo por (2), we have to prove that G J {\Xgp,\ip,\i), A(t) UA(to) C 
J' {\lp,\l,\L\) and c/^,"^,^ 1=/^;;^^! />j All these conditions are satisfied (see above). Therefore, we 
obtain the required J ,M \=.^^p^p^ Q. 

Case (Drip). LetPbe(iri>(p).a|ao(Po)'"' and 2bep()''«oa|ao(Po)'"'. We have that J^,'^,^ ^t^spt^P^^ p 
is equivalent to /Iq G {pigp,pLp,pL), {drip{p)}UA{o)\JA{oQ) C J'{iJ.p,iJ.,iJ.o), and J^,^,^ ^MpM/Jo 
Because of the closure conditions, from the above, = Mlanp{drip{p),iJ.o,iJ.gp,iJ.p,iJ.) such that 
Hr G y{lJ.gp,lJ.p,lJ.), A(p) C J^(/Ip,/x,/Xr). We have that J^,*^,^ |=^^spA'pA' g is equivalent to both 
J^X,^ |=/^.?pMpM p()/^/i and J^,^,^ ^MspMp/J a|ao(Po)'"'. The first condition is verified, because Hr G 
J'{lJ.gp,lJ.p,lJ.) and A(p) C The second amounts to /Xq G and A(a)U 

A(ao) C J^{iJ.p,n,Ho) and it is satisfied as well. We therefore obtain the required J' ,M \=^sp^pt^ Q_ 

□ 

Theorem 5.2 Given a process P including a membrane labelled }X, then ifc never appears on the mem- 
brane labelled /I, then the capability c never affects the membrane labelled }X. 

Proof. First of all, we observe that if c affects pL in P, then we have a contradiction, since it implies that 
c ^ {lJLgp,}JLp,}JL) for some context HgpHp. We now show that there exist no Q, Q' such that P — )■* Q^Q' 
such that c does not affect h in Q, while it does in Q'. The only case in which this can happen is when 
a (Bud) or a {Drip) is performed with parameter p including c. Indeed, the firing of such an action lets 
arise a new membrane affected by the corresponding parameter. We focus on the second one. Suppose 
we have in 2 a sub-process drip{p).a\Go{Qo)^ and that c occurs in p. This amounts to have that c can 
affect H in Q'. By theorem[T[ we have that {J^,M,'W) is an estimate also for Q. Nevertheless this implies 
that c G ^ {lJLgp,}JLp,}JL), thus leading to a contradiction. □ 



56 



